The Coming Wave of California Consumer Privacy Act Lawsuits

ince the beginning of the year, industry leaders and counsel advising clients on data security issues have held their collective breath in anticipation of the tsunami of California Consumer Privacy Act (CCPA) lawsuits. The CPPA, ballyhooed over the past few years as the next big thing in consumer litigation, is now the law in California. The most comprehensive cybersecurity and information privacy statutory scheme in the nation, the CCPA creates an express private right of action for individuals whose data is breached by hackers and mandates that significant penalties be assessed against the company that violates cybersecurity standards.While no CCPA lawsuits were filed in January, a consumer privacy lawsuit filed February 3 in the U.S. District Court for the Northern District of California has garnered a great deal of attention. Touted by some as the “first” CCPA case, a closer reading of the Complaint filed in Barnes v. Hanna Anderson, LLC (No. 3:20-CV-00812) shows that the plaintiff does not assert a direct claim under the statute. There is a simple reason for this. The data breach alleged in Barnes occurred in 2019, before the effective date of the CCPA. Although the Complaint alleges acts or omissions in 2020 by stating that the retailer did not tell customers or the Attorneys General about this in January, the fact that the data breach occurred before the effective date of the CCPA would render a direct claim subject to a motion to dismiss.